| 401cb4bb | 11-May-2022 |
Bipin Ravi <bipin.ravi@arm.com> |
Merge "fix(security): workaround for CVE-2022-23960 for Cortex-X1" into integration |
| c8c7c47b | 11-May-2022 |
Bipin Ravi <bipin.ravi@arm.com> |
Merge "fix(errata): workarounds for cortex-x1 errata" into integration |
| 123cebe5 | 11-May-2022 |
Bipin Ravi <bipin.ravi@arm.com> |
Merge "feat(cpu): add support for Cortex-X1" into integration |
| c44e50b7 | 11-Feb-2022 |
Tamas Ban <tamas.ban@arm.com> |
feat(plat/arm/fvp): enable RSS backend based measured boot
Enable the RSS backend based measured boot feature. In the absence of RSS, the mocked version of the PSA APIs is used. They always return with success and hard-coded data.
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Change-Id: I7543e9033a7a21f1b836d911d8d9498c6e09b956 |
| 0ce2072d | 18-Jan-2022 |
Tamas Ban <tamas.ban@arm.com> |
feat(lib/psa): mock PSA APIs
Introduce the PLAT_RSS_NOT_SUPPORTED build config to provide a mocked version of the PSA APIs. The goal is to test the RSS backend based measured boot and attestation token request integration on such a platform (AEM FVP) where RSS is otherwise unsupported. The mocked PSA API version does not send a request to the RSS; it only returns with success and hard-coded values.
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Change-Id: Ice8d174adf828c1df08fc589f0e17abd1e382a4d |
| 0442ebd2 | 11-Jan-2022 |
Tamas Ban <tamas.ban@arm.com> |
feat(drivers/measured_boot): add RSS backend
Runtime Security Subsystem (RSS) provides for the host:
- Runtime service to store measurements, which were computed by the host during measured boot.
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Change-Id: Ia9e4e8a1fe8f01a28da1fd8c434b780f2a08f94e |
| ce0c40ed | 18-Jan-2022 |
Tamas Ban <tamas.ban@arm.com> |
feat(drivers/arm/rss): add RSS communication driver
This commit adds a driver to conduct the AP's communication with the Runtime Security Subsystem (RSS). RSS is Arm's reference implementation for the CCA HES [1]. It can be considered as a secure enclave to which, for example, certain services can be offloaded, such as initial attestation.
RSS comms driver:
- Relies on MHU v2.x communication IP, using a generic MHU API,
- Exposes the psa_call(..) API to the upper layers.
[1] https://developer.arm.com/documentation/DEN0096/latest
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Signed-off-by: David Vincze <david.vincze@arm.com>
Change-Id: Ib174ac7d1858834006bbaf8aad0eb31e3a3ad107 |
| 08485651 | 11-Feb-2022 |
Tamas Ban <tamas.ban@arm.com> |
feat(lib/psa): add initial attestation API
Supports:
- Get Platform Attestation token from secure enclave
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Change-Id: Icaeb7b4eaff08e10f449fbf752068de3ac7974bf |
| 758c6471 | 18-Jan-2022 |
Tamas Ban <tamas.ban@arm.com> |
feat(lib/psa): add measured boot API
A secure enclave could provide an alternate backend for measured boot. This API can be used to store measurements in a secure enclave, which provides the measured boot runtime service.
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Change-Id: I2448e324e7ece6b318403c5937dfe7abea53d0f3 |
| af26d7d6 | 10-Jan-2022 |
Tamas Ban <tamas.ban@arm.com> |
feat(drivers/arm/mhu): add MHU driver
The Arm Message Handling Unit (MHU) is a mailbox controller used to communicate with other processing element(s). Adding a driver to enable the communication:
- Adding generic MHU driver interface,
- Adding MHU_v2_x driver.
Driver supports:
- Discovering available MHU channels,
- Sending / receiving words over MHU channels,
- Signaling happens over a dedicated channel.
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Signed-off-by: David Vincze <david.vincze@arm.com>
Change-Id: I41a5b968f6b8319cdbdf7907d70bd8837839862e |
| e81e999b | 21-Apr-2022 |
Okash Khawaja <okash@google.com> |
fix(security): workaround for CVE-2022-23960 for Cortex-X1
Implements the loop workaround for Cortex-X1.
Signed-off-by: Okash Khawaja <okash@google.com>
Change-Id: I5828a26c1ec3cfb718246ea5c3b099dabc0fb3d7 |
| 7b76c20d | 21-Apr-2022 |
Okash Khawaja <okash@google.com> |
fix(errata): workarounds for cortex-x1 errata
This patch adds workarounds for the following cortex-x1 errata:
- 1821534 (CatB)
- 1688305 (CatB)
- 1827429 (CatB)
SDEN can be found here: https://developer.arm.com/documentation/SDEN1401782/latest
Signed-off-by: Okash Khawaja <okash@google.com>
Change-Id: I10ebe8d5c56a6d273820bb2c682f21bf98daa7a5 |
| 6e8eca78 | 21-Apr-2022 |
Okash Khawaja <okash@google.com> |
feat(cpu): add support for Cortex-X1
This patch adds basic CPU library code to support the Cortex-X1 CPU in TF-A. Follow-up patches will add selected errata workarounds for this CPU.
Signed-off-by: Okash Khawaja <okash@google.com>
Change-Id: I4a3d50a98bf55a555bfaefeed5c7b88a35e3bc21 |
| 06c6f653 | 09-May-2022 |
Daniel Boulby <daniel.boulby@arm.com> |
docs: update release and code freeze dates
Change-Id: I72d200a0cfbcb4ef53b732faa5b7125dce91395d
Signed-off-by: Daniel Boulby <daniel.boulby@arm.com> |
| ac097fdf | 10-May-2022 |
Sieu Mun Tang <sieu.mun.tang@intel.com> |
fix(intel): add flush dcache after return response for INTEL_SIP_SMC_MBOX_SEND_CMD
This patch is to add flush dcache after return response in INTEL_SIP_SMC_MBOX_SEND_CMD.
Signed-off-by: Sieu Mun Tang <sieu.mun.tang@intel.com>
Change-Id: Ie9451e352f2b7c41ebb44a1f6be9da35f4600fb9 |
| 70a7e6af | 28-Apr-2022 |
Sieu Mun Tang <sieu.mun.tang@intel.com> |
fix(intel): extending to support large file size for SHA2/HMAC get digest and verifying
This patch is to extend to support large file size for SHA2/HMAC get digest and verifying. The large file will be split into smaller chunks and sent using the initialize, update and finalize staging method.
Signed-off-by: Yuslaimi, Alif Zakuan <alif.zakuan.yuslaimi@intel.com>
Signed-off-by: Sieu Mun Tang <sieu.mun.tang@intel.com>
Change-Id: I1815deeb61287b32c3e77c5ac1b547b79ef12674 |
| 1d97dd74 | 28-Apr-2022 |
Sieu Mun Tang <sieu.mun.tang@intel.com> |
fix(intel): extending to support large file size for SHA-2 ECDSA data signing and signature verifying
This patch is to extend to support large file size for SHA-2 ECDSA data signing and signature verifying. The large file will be split into smaller chunks and sent using the initialize, update and finalize staging method.
Signed-off-by: Sieu Mun Tang <sieu.mun.tang@intel.com>
Change-Id: If277b2b375a404fe44b0858006c8ba6316a5ce23 |
| dcb144f1 | 28-Apr-2022 |
Sieu Mun Tang <sieu.mun.tang@intel.com> |
fix(intel): extending to support large file size for AES encryption and decryption
This patch is to extend to support large file size for AES encryption and decryption. The large file will be split into smaller chunks and sent using the initialize, update and finalize staging method.
Signed-off-by: Sieu Mun Tang <sieu.mun.tang@intel.com>
Change-Id: Ie2ceaf247e0d7082aad84faf399fbd18d129c36a |
| c436707b | 10-May-2022 |
Sieu Mun Tang <sieu.mun.tang@intel.com> |
feat(intel): support version 2 SiP SVC SMC function ID for mailbox commands
A separate SMC function ID for mailbox commands is introduced for the new format of the SMC protocol.
The new format of the SMC protocol will start to be used by Zephyr.
Signed-off-by: Siew Chin Lim <elly.siew.chin.lim@intel.com>
Signed-off-by: Sieu Mun Tang <sieu.mun.tang@intel.com>
Change-Id: I7996d5054f76c139b5ad55451c373f5669a1017f |
| ad47f142 | 11-May-2022 |
Sieu Mun Tang <sieu.mun.tang@intel.com> |
feat(intel): support version 2 SiP SVC SMC function ID for non-mailbox commands
A separate SMC function ID for non-mailbox commands is introduced for the new format of the SMC protocol.
The new format of the SMC protocol will start to be used by Zephyr.
Signed-off-by: Siew Chin Lim <elly.siew.chin.lim@intel.com>
Signed-off-by: Sieu Mun Tang <sieu.mun.tang@intel.com>
Change-Id: I01cff2739364b1bda2ebb9507ddbcef6095f5d29 |
| fe5637f2 | 30-Aug-2021 |
Boon Khai Ng <boon.khai.ng@intel.com> |
fix(intel): update certificate mask for FPGA Attestation
Update the certificate mask to 0xff to cover all certificates in the Agilex family.
Signed-off-by: Boon Khai Ng <boon.khai.ng@intel.com>
Signed-off-by: Sieu Mun Tang <sieu.mun.tang@intel.com>
Change-Id: Id40bc3aa4b3e4f7568a58581bbb03a75b0f20a0b |
| b703faca | 11-May-2022 |
Sieu Mun Tang <sieu.mun.tang@intel.com> |
feat(intel): update to support maximum response data size
Update to support the maximum (4092 bytes) response data size. Also, clean up the intel_smc_service_completed function to directly write the response data to addr to avoid an additional copy.
Signed-off-by: Siew Chin Lim <elly.siew.chin.lim@intel.com>
Signed-off-by: Boon Khai Ng <boon.khai.ng@intel.com>
Signed-off-by: Sieu Mun Tang <sieu.mun.tang@intel.com>
Change-Id: I0a230e73c563d22e6999ad3473587b07382dacfe |
| 7e25eb87 | 10-May-2022 |
Sieu Mun Tang <sieu.mun.tang@intel.com> |
feat(intel): support ECDSA HASH Verification
Supporting the command to send a digital signature verification request on a data blob. This includes ECC algorithms such as NIST P-256, NIST P-384, Brainpool 256 and Brainpool 384.
Signed-off-by: Boon Khai Ng <boon.khai.ng@intel.com>
Signed-off-by: Sieu Mun Tang <sieu.mun.tang@intel.com>
Change-Id: Ic86f531bfe7cc7606699f2b064ac677aaf806a76 |
| 69254105 | 10-May-2022 |
Sieu Mun Tang <sieu.mun.tang@intel.com> |
feat(intel): support ECDSA HASH Signing
Supporting the command to send a digital signature signing request on a data blob. This includes ECC algorithms such as NIST P-256, NIST P-384, Brainpool 256 and Brainpool 384.
Signed-off-by: Boon Khai Ng <boon.khai.ng@intel.com>
Signed-off-by: Sieu Mun Tang <sieu.mun.tang@intel.com>
Change-Id: I12cf0f1ceaf07c33a110eae398d3ad82a9b13d38 |
| 49446866 | 10-May-2022 |
Sieu Mun Tang <sieu.mun.tang@intel.com> |
feat(intel): support ECDH request
This command sends the request for generating a shared secret in a Diffie-Hellman key exchange.
Signed-off-by: Siew Chin Lim <elly.siew.chin.lim@intel.com>
Signed-off-by: Boon Khai Ng <boon.khai.ng@intel.com>
Signed-off-by: Sieu Mun Tang <sieu.mun.tang@intel.com>
Change-Id: Ic7c8470cf036ea8c17bf87401f49936950b3e1d6 |